PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55849 CycloneDX CVE debrief

CVE-2026-55849 is a high-severity vulnerability in @cyclonedx/cyclonedx-npm, a package used to create CycloneDX Software Bill of Materials from npm projects. The vulnerability affects versions from 2.1.0 before 5.0.0. The CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.

Vendor
CycloneDX
Product
cyclonedx-node-npm
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Developers and users of @cyclonedx/cyclonedx-npm, especially those using versions between 2.1.0 and 5.0.0, should be aware of this vulnerability and take immediate action to upgrade to version 5.0.0 or apply compensating controls.

Technical summary

The @cyclonedx/cyclonedx-npm package is vulnerable to arbitrary OS command execution due to improper sanitization of user-supplied --workspace values in the CLI. This occurs when npm_execpath is unset or empty, allowing an attacker to execute commands with the privileges of the invoking user. The vulnerability has a CVSS score of 8.5 and is classified as HIGH severity. The issue was introduced in version 2.1.0 and fixed in version 5.0.0.

Defensive priority

High priority should be given to upgrading @cyclonedx/cyclonedx-npm to version 5.0.0 or applying compensating controls to mitigate the risk of arbitrary OS command execution.

Recommended defensive actions

  • Upgrade @cyclonedx/cyclonedx-npm to version 5.0.0 or later
  • Review and restrict user input to the --workspace option
  • Implement compensating controls, such as monitoring and logging
  • Conduct inventory checks to identify affected systems
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-08T22:17:15.783Z and last modified on 2026-07-10T19:15:21.853Z. The NVD entry is currently Awaiting Analysis. Limited information is available about the vulnerability's impact and affected scope.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T22:17:15.783Z and has not been modified since then.